QUANTSTAMP REVIEW: Auditing Smart Contracts

in #cryptocurrency, 7 years ago

Today we will be talking about Quantstamp, the best smart contract auditing protocol in the world. This is a coin with great potential for growth; to learn more, keep reading!

There is a video link at the end for those who prefer to listen.

What is Quantstamp?

Quantstamp is the protocol for securing smart contracts.
In other words, it’s an auditing company that other blockchain projects can hire to test their smart contracts.

Why is this function needed?

A blockchain network itself is secure, meaning it cannot be hacked. But smart contracts that run the network are man-made and not secure, meaning they can be hacked or manipulated.

The most famous example of this was the DAO incident in June 2016, where a hacker stole $55 million in Ethereum (which today is worth over $2.5 billion) by hacking not the Ethereum network, but a smart contract. This incident eventually caused the fork between Ethereum and Ethereum Classic.

https://www.coindesk.com/understanding-dao-hack-journalists/

Another example was the Parity wallet being hacked in July 2017, resulting in millions of dollars being stolen.

Errors like this really corrode confidence in blockchain projects because of the security risks. Furthermore, ICOs are increasingly being recognised as high-risk investments, and no one wants to be the project that lost hundreds of millions of dollars.

The Quantstamp protocol solves this problem by creating a scalable and cost-effective system to audit smart contracts.

The way it works is as follows.

The developer writes a smart contract that is checked by Quantstamp. The verified contract can be uploaded to the blockchain safely, and the check will also generate a report, which can be private and encrypted or made public for others to see. The advantage of making a report public is that potential investors can see that the company’s smart contracts have been audited and be more confident about this. In today’s climate, where there is increasing caution about upcoming ICOs, I can see this eventually becoming a standard step in ICO evaluation.

The technology for the audits is found in the validator node. This is essentially a heavily modified Ethereum node equipped with formal auditing techniques. The process is run by contributors, who are basically the “miners” of the project. Once the smart contract has been checked and verified by the contributor, an escrow payment/bounty will be released to the contributor, rewarding them for their work. The reward is paid in QSP (quantum) tokens by the original developer of the smart contract, who puts down the deposit at the point of submission.

This whole process is “trustless”, which basically means it always checks the end product and prevents manipulation of results. To further disincentivize bad actors, Quantstamp makes manipulation expensive by collecting “stake tokens” as collateral before the audit. So if there is an attempt to forge an audit, the deposit is slashed. This also prevents an attack on the network in this manner.

Now you might think: what if the contributor found a bug but chose not to report it? Can they then use it to exploit the client later on? The answer is no, because the Quantstamp software itself will double-check it, and if it finds a bug that the contributor failed to report, Quantstamp will claim the bounty instead and fix the bug, and the bad-actor contributor gains nothing. So the entire bounty system is set up to encourage good behaviour.

The entire system is also scalable: the bounty payment system is designed to be upgradeable to full automation, and so is the actual validation protocol.

Quantstamp are working towards a 100% automated protocol that is called the Security Audit Engine.

[Image: Security Audit Engine diagram]

This is a simple diagram representation of what it does: basically, it puts the smart contract through several checks before automatically producing a report and uploading it to the blockchain.

Currently Quantstamp is only checking Ethereum smart contracts, and that is because Ethereum as a platform hosts almost half of all the blockchain projects in the world. However, as a utility, Quantstamp is designed to be platform agnostic, meaning it should be able to be applied to other platforms, e.g. Neo.

Besides checking projects, they can also check wallets, exchanges, anything that uses smart contracts.

Another interesting aspect of the project is called Proof-of-care:

Community members can sign up to Proof-of-Care, which entitles them to airdrops for new tokens that Quantstamp audits! This sounds awesome, because everyone loves free crypto. But the catch is you have to prove you care for Quantstamp to participate.

https://medium.com/quantstamp/proof-of-hodl-announcement-d6de05a0d531

Here are some factors that will influence your caring score:

  1. Connect with the community — helping with recruitment, helping with reddit, participating in the telegram, making youtube videos, setting up physical communities and local meetups.
  2. Providing the Quantstamp team with advice — improving our whitepaper, website design, translating copy, etc.
  3. Doing work for the team — Telegram admins, Local language admins, github code contributors, translators.
  4. Your existing history of support with the Quantstamp project
  5. The super secret events for those that have proven they are the very best.

Your proof of caring score will be based on the equation:

Active Project Contribution + Community Involvement + Wallet Tracking Algorithm + History of Support = Your POC 2.0 Score

So it sounds like a lot of effort to be honest. They gave an example of a high scoring proof of care member who did the following:

Helped to clarify questions regarding the Quantstamp project, and encouraged people to join and follow official news sources
Participated in active discussions on the Quantstamp Technical telegram channel.
Entirely overhauled the Quantstamp reddit design with two other community members, including the reddit app interface for r/Quantstamp. Created a reddit sidebar as well as the welcome message, rules and FAQ for Quantstamp reddit users.
He is a current Moderator of the Quantstamp reddit.
Submitted a nice video of the CEO and my friends shouting “I LOVE QUANTSTAMP” in enthusiasm for the QSP fan film. :)
Constructed an FAQ for the Ink Protocol (XNK) airdrop on reddit.
Gave an answer on reddit regarding a question on how Quantstamp’s audit is different from Zeppelin’s audit.
Shared a post on my personal views on Quantstamp

So it was very impressive, but it made me lose all hope of ever getting a high score. Haha. As I like to say, most of us want to be investors, not participants. I don’t like the idea of having to put all my time and money into one project to get airdrops, especially when my piece of the pie is likely very small compared to contributors like the one above.

Team:

They have an impressive, big team; let me run through some of their resumes.

  1. Their CEO is Richard Ma, who is a former software engineer at Tower Research.
  2. The other co-founder and CTO is Steven Stewart, who is a former software engineer at Many trees Inc, and also a computer system analyst at the Department of National Defense (Canada) and software developer at Magnetic Forensics.
  3. VP of engineering is Evan Henshaw-Plath, who was the lead engineer at Odeo, the company that made Twitter. He also led engineering teams at Palm, Yahoo and Digital Garage.
  4. Kacper Bak is another team member, an expert in software modelling and verification who was previously employed at Mathworks, Opera, and Samsung.

They have a “blockchain department labs in Canada”. I’m not sure why this is under a different heading from the team; I tried looking it up but couldn’t find an answer. Anyway, the team members here include:

  1. Vajih Montaghami who is an expert in software verification, security infrastructure and scalable systems and previously worked for Amazon.
  2. Prit Sheth who before working at Quantstamp was a senior software engineer at Barclays and also a software engineer at Samsung mobile.

Are you impressed already? Because it gets better!

Their advisors include:

Evan Cheng - Director of engineering at Facebook, previously at Apple. Winner of the ACM Software System Award for designing and implementing LLVM. We’ve seen this name before; he is someone who is very involved in more than one blockchain project.

Chris Miess—Former CFO at TENX, previously worked at Goldman Sachs and is also the CEO of Iconic partners.

And their supporters include:

Combinator, Blockfolio, Quoine, etc., so prominent companies in the blockchain arena. Also worth noting is Request Network, which was their first client to be reviewed. So it’s nice to know their clients can have such a good opinion of them that they become supporters after working with them.

So a very impressive team. You can certainly understand why they were one of the favorite ICOs in the last quarter of 2017.

Roadmap:

[Image: Quantstamp roadmap]

This is their roadmap. It’s a very busy roadmap that has something on every month, and it finishes in October this year. But that means their mainnet is released before that in August.

Coming up in April is the deployment of their test network, and May will be their first Hackathon, which is a somewhat popular thing in the tech world these days. A hackathon is an event where a lot of tech-savvy people gather to brainstorm towards creating more useful software. So we may see some new developments after this event.

If you go to their website, these guys are already at work reviewing smart contracts and have already completed 353 audits.

So unlike some projects that can’t do anything until they launch mainnet, in this case the roadmap is just to help them scale an already existing working product.

Also an additional update not on their roadmap is about marketing.

I love marketing because there is no use having a great product if no one knows about it. So 3 days ago their CEO tweeted that they are going to start marketing now. So I’m interested to see what that will look like, because up until now, with the Proof-of-Care shilling, there’s already been some shilling. I’ll be keen to see what they will do next.

Just to mention as well, later today they will be having an AMA on reddit, so it’s likely more updates will come out from that AMA. I did consider releasing this review tomorrow, so I could incorporate the AMA content into this video, but unfortunately I won’t have time this weekend to get to it, so please do check the AMA content out tomorrow yourself if you’re interested in this project.

So far, Quantstamp is looking great. Do I have any concerns about the project? I don’t know if they would be considered concerns, but I do have some questions that I couldn’t find answers to:

  1. We know the more a currency is used, the more the currency’s price goes up. Currently bounties are a significant portion of token transactions. But when Quantstamp goes fully automated, there won’t be any more bounties, as everything will be done automatically. Will that decrease the token value?

  2. The second is the cost of an audit. I could not find the details in their white paper about this. Their website says “25 QSP” to get an audit. But that’s like $3. That’s too little; I’m obviously missing something here. On their reddit, many people are saying it costs 200,000 QSP tokens, because it says on the request page “You must hold a minimum of 200,000 QSP to request an audit”. Some claim that was the original cost of an audit at ICO price, and the actual cost is about $15-20,000 USD.

200,000 QSP at $0.13 works out to be $26,000, so it’s not far off. A reddit moderator, though, wrote that the 200,000 QSP tokens are what you hold as a deposit, but that it’s not the actual cost of the audit. The actual cost is a flat fee of $20,000. But the moderator did add that he wasn’t “entirely sure” about the amount either. It matters a lot whether the payment is in fiat or tokens, because fiat payments mean the company will grow as its services are used more, but not necessarily the token. For the token price to rise, the token must be used.

https://www.reddit.com/r/Quantstamp/comments/7q4d76/audit_costs/

Also yesterday, there was an article from TechCrunch stating that an audit costs $500,000. Not tokens, just fiat.
https://techcrunch.com/2018/03/20/these-are-the-64-startups-unveiled-at-y-combinator-w18-demo-day-2/

So at this point, I don’t know what the cost of an audit is. In fact, I’m not convinced any of their community members know for sure, not even the moderators. According to the article which was released yesterday, they have 50 customers waiting for an audit, so depending on which price you go by, that’s either only $1 million or potentially $25 million in token transactions. Their current market cap is $81 million, so $25 million is about 1/3 of the market cap, which is huge.

The other issue I wasn’t clear about was the coin burn. A lot of their community posts seem to have the impression that half of the paid tokens get burnt, but a reddit moderator corrected this, saying that for SEC compliance the tokens are not burnt, which would make it an investment token, but rather kept in reserve, which makes it a utility token. If that’s the case, what are the reserve tokens used for? In this case, there may actually be a coin burn, firstly because their whitepaper does mention the coin burn and secondly because of the maths. They’ve completed 353 audits; if every audit burnt 100,000 tokens, that’s 35 million burnt. They started the project with a total supply of 1 billion tokens, but on coinmarketcap now, their total supply has decreased to 976 million. So that’s 34 million tokens gone. So it fits the calculations. If they really burn/remove from the market half of each audit’s cost in tokens, that is massive. But is there a limit? Most other projects with such token mechanics are very clear about the limit of burn per year and the overall limit for the whole project, e.g. a 100 million limit per year, down to a minimum of 100 million tokens. Perhaps Quantstamp needs to be more transparent about their token mechanics as well.

One last thing about the token before I move on. The total supply is 974 million tokens, but their active current supply is 617 million tokens. If they really charge 200,000 QSP tokens for the 353 audits they have done, that’s over $70 million. So more than 10% of their current supply. Surely that would have done something for the token price in the last quarter, but that hasn’t been reflected in their price. Whether that was masked by the very bad market conditions, we don’t know.

Quantstamp is currently only auditing Ethereum platform projects. Now there are currently just over 2000 blockchain projects, of which there are about 800-900 on the Ethereum network. Quantstamp has already audited 353 projects; if we assume that 50 of those were ICOs, that’s still about 300 ERC20 audits, meaning about 1/3 of the platform in a quarter (3 months). If they continue at this rate, even if they audited every Ethereum project, they would run out of business by the end of this year. And they need new projects, because their earning mechanism is a once-off payment from each project. So basically they need to branch out to other platforms by the end of this year, hopefully by the launch of their mainnet.

Also, Ethereum uses a difficult programming language called Solidity, so projects are more likely to need help. But most newer platforms use more user-friendly programming languages like JavaScript and C++, so developers may be more confident and perhaps not feel the need to pay for an expensive audit.

That being said, the above consideration is a medium to long term consideration. As far as short term price predictions go, I do believe there is an available market that will have high demand for the services of Quantstamp.

One last piece of good news before I end:

https://www.bleepingcomputer.com/news/cryptocurrency/researchers-find-34-200-vulnerable-ethereum-smart-contracts/#.WqdcKO1kSoo.twitter

This is an article that was released earlier this month, and it highlights the need for services to audit smart contracts, especially on Ethereum. This article actually points to Maian, a new protocol to detect faulty smart contracts. But at this point Maian doesn’t actually fix the smart contracts, so this is great, because who will those 34,200 faulty smart contracts come to for help to be fixed? Quantstamp. $$

So those are the considerations and unanswered questions I have. It may sound like I am very critical of this project, but actually I really like this project. I just want to be careful about every aspect of the project before jumping in, especially the token mechanics. Because a project can be the best project in the world, but if the token price isn’t going to rise because of bad token mechanics, then there is simply no point for me to invest.

Ok, finally, let’s end with price prediction.

At the moment the token price is $0.13; their all-time high was sitting at $0.79, so just under $0.80. Their trade volume is currently only 5 million, which is very, very small. Furthermore, the bulk of their trading (>70%) is on Huobi, compared to Binance, which is less than 25%. This is unusual, and what it means is that as a coin, they have fallen off the radar. On a big exchange like Binance, where you have many top 100 coins, people have basically forgotten about Quantstamp.

Which is great from an investment point of view. If you look at what we can expect from here on (testnet in April, Hackathon in May, marketing starting now, 34,200 faulty smart contracts discovered recently on Ethereum with Quantstamp being the only external help available, 100,000 coin burn with every audit, mainnet launch by August), overall, I expect Quantstamp to have an awesome year. 10-15x gains are very possible, considering just returning to their all-time high would be a 6x gain. At their all-time high, the market had a market cap of 850 billion; now we are sitting at 320 billion. Experts expect us to end the year between 1 and 1.5 trillion. So we should definitely end the year higher than the Jan high on inflation alone.

Going beyond this year, how Quantstamp performs next year will depend on 2 factors:

i) Whether auditing of smart contracts will be taken as a norm in the valuation of a blockchain project. I do think there’s a real chance this will happen, because if I am an investor and I have the choice between 2 equally attractive ICOs, and one has been audited and the other hasn’t, it’s fairly clear to me which I will choose. If that ever happens, Quantstamp is going to explode, because every new coin will be coming to them for their stamp of approval.

ii) The second factor is whether Quantstamp can maintain its first-mover advantage on the other blockchains. First-mover advantage is an advantage in any blockchain arena, but in auditing it’s essential. Imagine if another auditing protocol was launched today on NEO and they worked as fast as Quantstamp, at 353 audits/quarter. Neo does not have 800 projects on its platform; in 6 months, all its current projects would have been audited by the competitor. And audits are expensive fees that projects will only pay once, so if Quantstamp jumps on to a blockchain 6 months after a competitor, basically there would be no business left. Fortunately, there are no major threats yet. But major threats could pop up very quickly. Maian recently showed they are able to scan and detect faults in smart contracts in bulk; imagine if they started to provide a service of fixing those faults. It would be a very serious competitor in a very short period of time.

So I think this year, Quantstamp should have the lion’s share of the market and enjoy prosperity. I think now is not a bad time to jump onto it, assuming the general market doesn’t crash further. Next year is still an unknown depending on the above factors, but we are of course rooting for Quantstamp.

So that’s it for me guys! I hope this was helpful for you. If you liked this video, please hit that upvote and follow to help us build our channel and also to make sure you don’t miss out on any of our content.

Let us know in the comments below what you think of Quantstamp or any other thoughts you might have. Keep those requests coming in, this is a requested review from one of you, and we always love to hear what you want. Thanks so much for joining us! Have a great Friday, hope you’re chilling out and having fun wherever you are. We’ll see you guys tomorrow!

We are not professionals and this is not financial advice, just us sharing our thoughts with you. Always do your own research and make your own decisions.